Zeus-related Botnet Servers Taken Offline

About a week ago a massive sting operation took down large parts of the Mariposa botnet in Spain and the USA, and the latest news is that large parts of the Zeus-related botnets have now been taken offline too.

Most of the action in this case happened in Eastern Europe, where once again upstream network peers have pulled the plug on a downstream ISP serving dodgy customers.

At least a quarter of the command and control servers linked to Zeus-related botnets have suddenly gone quiet, continuing a recent trend of takedowns hitting some of the world’s most nefarious cyber operations.

The massive drop is the result of actions taken by two Eastern European network providers. On Tuesday, they pulled the plug on their downstream customers, including an ISP known as Troyak, according to Mary Landesman, a senior researcher with ScanSafe, a web security firm recently acquired by Cisco Systems. That in turn severed the connections of servers used to control large numbers of computers infected by a do-it-yourself crime kit known as Zeus.

Landesman said she was able to confirm figures provided by Zeus Tracker showing that the number of active control servers related to Zeus had dropped from 249 to 181. The takedown came on Tuesday at around 10:22 am GMT and was heralded by a sudden drop-off in the number of malware attacks ScanSafe blocks from the affected IP addresses.

The most interesting part for me is that a few days prior to the takedown, Zeus-related activity went up in intensity 10-fold (from 1% to 10% of blocked traffic on the ScanSafe network). To the paranoid this would indicate forewarning: the bot herders pushing out more malware to make sure they still have a good infection base even after the ISP's plug gets pulled.
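The two signals described above (a 10-fold spike in blocked Zeus traffic a few days before the cut, then a sudden drop-off once the upstream severed the ISP) are exactly the kind of thing you'd want a monitoring script to flag automatically. The snippet below is an added example, not ScanSafe's or Zeus Tracker's code: it takes a constructed daily series of (total blocks, Zeus-related blocks attributed to the monitored address space), establishes a quiet baseline from the first few days, and flags "spike" days where the share jumps by a configurable factor and "cliff" days where it collapses relative to the trailing median. The dates, counts, window size and thresholds are all assumptions chosen to mirror the story; the attrition helper just reproduces the "at least a quarter" figure from the 249 to 181 count.

```python
from statistics import median

# Constructed daily series (hypothetical numbers, not ScanSafe's real data):
# (day, total blocks on the network, blocks attributed to the monitored upstream's space).
# Days 1-4 are a quiet ~1% baseline, days 5-8 show the ~10x pre-takedown push,
# day 9 is the cut and day 10 is silence.
SAMPLE_SERIES = [
    ("2010-03-01", 1000, 10),
    ("2010-03-02", 1000, 11),
    ("2010-03-03", 1000, 9),
    ("2010-03-04", 1000, 10),
    ("2010-03-05", 1000, 120),
    ("2010-03-06", 1000, 130),
    ("2010-03-07", 1000, 125),
    ("2010-03-08", 1000, 128),
    ("2010-03-09", 1000, 1),
    ("2010-03-10", 1000, 0),
]


def share_series(rows):
    """Convert raw counts into the fraction of all blocks attributed to the monitored space."""
    return [(day, zeus / total) for day, total, zeus in rows if total > 0]


def detect_shifts(rows, window=4, spike_factor=10.0, cliff_factor=0.1):
    """Flag abrupt changes in the monitored share.

    A quiet baseline is the median share over the first `window` days.
    A day is a 'spike' when its share is at least spike_factor * baseline,
    and a 'cliff' when it is at most cliff_factor * the trailing-window median
    (so a cliff is measured against the elevated level that preceded it).
    Returns a list of (day, kind, ratio_to_reference) in date order.
    """
    shares = share_series(rows)
    if len(shares) <= window:
        return []
    baseline = median(s for _, s in shares[:window])
    events = []
    for i in range(window, len(shares)):
        day, s = shares[i]
        trailing = median(v for _, v in shares[i - window:i])
        if baseline > 0 and s >= spike_factor * baseline:
            events.append((day, "spike", s / baseline))
        elif trailing > 0 and s <= cliff_factor * trailing:
            events.append((day, "cliff", s / trailing))
    return events


def attrition_fraction(before, after):
    """Fraction of control servers that went dark, e.g. Zeus Tracker's 249 -> 181."""
    if before <= 0:
        raise ValueError("before must be positive")
    return (before - after) / before


if __name__ == "__main__":
    for day, kind, ratio in detect_shifts(SAMPLE_SERIES):
        print(f"{day}: {kind:5s} (x{ratio:.2f} vs reference)")
    print(f"C&C attrition: {attrition_fraction(249, 181):.1%}")
```

Running it on the constructed series flags the four elevated days before the cut as spikes and the two days after it as cliffs; on real block logs you would aggregate per upstream AS or prefix first, since the whole point of this takedown is that the drop is confined to one provider's address space.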

It will be interesting to see whether these actions have any lasting effect. Either way, I'm pleased something is being done and that all this bandwidth-wasting crapware is being taken offline.

The takedown is the result of two network service providers, Ukraine-based Ihome and Russia-based Oversun Mercury, severing their ties with Troyak, said Landesman, who cited data returned by Robotex.com. The move meant that all the ISP’s customers, law-abiding or otherwise, were immediately unable to connect to the outside world.

“That’s a pretty interesting development and I think a very positive one, because they’re now putting the shared costs on the network service provider,” Landesman told The Register. “There’s not always a lot of impetus for these network service providers to take action, but as soon as you have such a severe repercussion where they’re actually not able to serve any of their customers, legitimate or otherwise, they’re now sharing in that cost.”

The takedown comes a week after authorities in Spain and the United States clipped the wings of the Mariposa botnet. One of the world’s biggest botnets, it controlled almost 13 million infected computers and infiltrated more than half of the Fortune 1000 companies. Late last month, Microsoft was able to disrupt the Waledac botnet by obtaining a court-issued order against scores of domains associated with the spam-spewing menace.

Back in November 2008 we covered the McColo case quite extensively, when the 'spam-friendly' ISP was taken offline by its upstream peers. By April 2009, however, spam volumes had climbed back to 91% of their pre-McColo level, showing that you can't stop them for long.

Honestly, I'd imagine this is the case here too: there are plenty more places they can peddle their malware and host their control servers, and the general public's awareness of infection vectors is extremely low.

People are still going to get infected and we are still going to have to put up with degraded networks.